Analysis

Max time kernel: 180s
Max time network: 192s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 26-11-2022 23:21
Behavioral task: behavioral1
Sample: 620a8d63edc730205b9a30e5516512c42b6f38eb10120d8020dc1724318b2f76.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 620a8d63edc730205b9a30e5516512c42b6f38eb10120d8020dc1724318b2f76.exe
Resource: win10v2004-20221111-en
General

Target: 620a8d63edc730205b9a30e5516512c42b6f38eb10120d8020dc1724318b2f76.exe
Size: 23KB
MD5: 17cc6273ddcc75aa7939ef97a68c668c
SHA1: 56d9c0518b83511b8d7fdcf283fc85ea7a182239
SHA256: 620a8d63edc730205b9a30e5516512c42b6f38eb10120d8020dc1724318b2f76
SHA512: 00570b5d51ec88dca4ae54701b75dce30460cfae3bdcb89629cfea10e3330421f054786f773c5f45d18f360c94e3c72be4f8d49bd83b50099717e5222e15b872
SSDEEP: 384:j+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZISh:8m+71d5XRpcnuA
Malware Config

Extracted family: njrat
Version: 0.7d
Botnet: HacKed
C2: roko.duckdns.org:5552
Mutex: ef079888227114979c4e345155367379
Attributes:
  reg_key: ef079888227114979c4e345155367379
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
  pid 516: conhostr.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef079888227114979c4e345155367379.exe (process: conhostr.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef079888227114979c4e345155367379.exe (process: conhostr.exe)

Loads dropped DLL (1 IoC)
  pid 948: 620a8d63edc730205b9a30e5516512c42b6f38eb10120d8020dc1724318b2f76.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ef079888227114979c4e345155367379 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhostr.exe\" .." (process: conhostr.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ef079888227114979c4e345155367379 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhostr.exe\" .." (process: conhostr.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  pid 516 (conhostr.exe): Token: SeDebugPrivilege (1 time)
  pid 516 (conhostr.exe): Token: 33 (6 times)
  pid 516 (conhostr.exe): Token: SeIncBasePriorityPrivilege (6 times)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 948 (620a8d63edc730205b9a30e5516512c42b6f38eb10120d8020dc1724318b2f76.exe) wrote to memory of PID 516 (conhostr.exe) (4 times)
  PID 516 (conhostr.exe) wrote to memory of PID 896 (netsh.exe) (4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\620a8d63edc730205b9a30e5516512c42b6f38eb10120d8020dc1724318b2f76.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\620a8d63edc730205b9a30e5516512c42b6f38eb10120d8020dc1724318b2f76.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\conhostr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\conhostr.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\conhostr.exe" "conhostr.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\conhostr.exe (hashes identical to the submitted sample: the dropped file is a copy of it)
  Filesize: 23KB
  MD5: 17cc6273ddcc75aa7939ef97a68c668c
  SHA1: 56d9c0518b83511b8d7fdcf283fc85ea7a182239
  SHA256: 620a8d63edc730205b9a30e5516512c42b6f38eb10120d8020dc1724318b2f76
  SHA512: 00570b5d51ec88dca4ae54701b75dce30460cfae3bdcb89629cfea10e3330421f054786f773c5f45d18f360c94e3c72be4f8d49bd83b50099717e5222e15b872
Memory dumps

memory/516-58-0x0000000000000000-mapping.dmp
memory/516-63-0x0000000074610000-0x0000000074BBB000-memory.dmp (5.7MB)
memory/516-66-0x0000000074610000-0x0000000074BBB000-memory.dmp (5.7MB)
memory/896-64-0x0000000000000000-mapping.dmp
memory/948-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp (8KB)
memory/948-55-0x0000000074610000-0x0000000074BBB000-memory.dmp (5.7MB)
memory/948-56-0x0000000074610000-0x0000000074BBB000-memory.dmp (5.7MB)
memory/948-62-0x0000000074610000-0x0000000074BBB000-memory.dmp (5.7MB)